Onboard Microsoft Copilot Studio to SaaS Agent Security

Table of Contents

Onboard Gemini Enterprise to SaaS Agent Security

Onboard Salesforce Agentforce to SaaS Agent Security

Onboard Microsoft Copilot Studio to SaaS Agent Security

Onboard Microsoft Copilot Studio to SaaS Agent Security to gain deep visibility and security for your AI-powered Microsoft copilots and apps.

Where Can I Use This?	What Do I Need?
Strata Cloud Manager	SaaS Agent Security license Or any of the following licenses that include the SaaS Agent Security license: CASB-X CASB-PA SaaS Security Posture Management license

Where Can I Use This?

What Do I Need?

Strata Cloud Manager

SaaS Agent Security license

Or any of the following licenses that include the SaaS Agent Security license:

CASB-X
CASB-PA
SaaS Security Posture Management license

Onboard Microsoft Copilot Studio to SaaS Agent Security to gain deep visibility and security for your AI-powered copilots and apps.

Optional: If you want SaaS Agent Security to show user identity, onboard the Microsoft Copilot Studio SaaS Security Posture Management connector before onboarding Microsoft Copilot Studio to SaaS Agent Security.

Prerequisites

Ensure you have Administrative privileges in the Microsoft Azure portal to register apps and grant API permissions.
Ensure you have System Administrator or Power Platform Administrator role to add app users to the relevant environment.

Onboarding Microsoft Copilot Studio to SaaS Agent Security consists of the following two main steps:

Configure Permissions in Microsoft Azure—Create an app registration in your Microsoft Azure Portal to grant Palo Alto Networks® secure, read-only access to your Microsoft Copilot Studio environment.
Onboard Microsoft Copilot Studio to SaaS Agent Security—Use the credentials generated during the configuration process to establish the connection the Palo Alto Networks SaaS Agent Security platform and your Microsoft Copilot Studio environment.

Register a new app in Microsoft Azure.
1. Log in to Microsoft Azure Portal.
2. Navigate to or search for App registrations.
3. Click + New Registrations.
4. Enter a descriptive Name for the app. For example, PaloAltoNetworks_Agent_Security_Connector.
5. Register.
Configure API permissions for the new app.
1. From the new app details page, select ManageAPI permissions.
2. Click + Add a permission.
3. Add the following Microsoft Graph permissions:
  Application.Read.All
  AuditLog.Read.All
  AuditLogsQuery-CRM.Read.All
  AuditLogsQuery.Read.All
4. Click Add permissions to save the app API permissions.
5. The permissions you added require admin consent. On the Configured permissions page, Grant admin consent for <your-organization>.
6. In the confirmation page, select Yes to grant admin consent for your organization.
Create a Client Secret for the new app.
1. From the new app details page, select Managecertificates & secrets.
2. Add a + New client secret.
3. Enter a description (for example, SaaS_Security_Key) and select an expiration period.
4. Add the Client Secret.
5. Copy the Client Secret Value and store it in a secure location.
Grant the app access in the Microsoft Power Platform admin center.
1. Log in to Microsoft Power Platform Admin Center.
2. Select ManageEnvironments and select your Copilot Studio environment.
3. Select SettingsUsers + permissionsApplication users and click + New app user.
4. Click + Add an app and search for the app you created in the previous step.
5. Select the correct Business unit from the drop-down.
6. Click the pencil icon next to Security roles and then assign the Service Reader role.
7. Click Create to save the app access privileges.
Gather the required information to onboard Microsoft Copilot Studio to SaaS Agent Security.
- Environment URL—Found on the environment's main page in the Microsoft Power Platform Admin Center.
- Application (Client) ID—Displayed in the app Overview in the Microsoft Azure Portal.
- Directory (Tenant) ID—Displayed in the app Overview in the Microsoft Azure Portal.
- Client Secret Value—The Client Secret you copied and stored in a secure location when creating the Client Secret for the app.
Onboard Microsoft Copilot Studio to SaaS Agent Security.
1. To start onboarding Microsoft Copilot Studio to SaaS Agent Security, log in to Strata Cloud Manager.
2. Select InsightsSaaS AgentsAgent Platform OnboardingOnboard Agent PlatformMicrosoft Copilot Studio and click Next.
3. Ensure you have completed all the three steps mentioned in the following onboarding wizard and then Get Started.
  
  Set up your Microsoft Copilot Studio environment if you have not already done so.
4. On the Authorization Method Selection page, the API authentication method is selected by default. Click Next.
5. On the Onboard Agent Platform page, enter the following information (that you gathered in STEP 5) and click Next.
  Tenant ID
  Client ID
  Client Secret
  
  SaaS Agent Security notifies you when Microsoft Copilot Studio successfully onboards. SaaS Agent Security returns one of the following errors if Microsoft Copilot Studio fails to onboard:
  
  Permission Errors during Scan— Verify you entered all credentials correctly and that you granted Admin Consent when you configured the Azure API Permissions.
  Connection Test Fails— Confirm you assigned the Service Reader role in the Power Platform Admin Center.
SaaS Agent Security immediately begins to scan your onboarded agentic platform after a successful validation.

The amount of time SaaS Agent Security takes to scan varies based on the amount of data it is required to scan. At a minimum, it takes at least one hour to scan and display data in the SaaS Agent Security dashboard.